Idea #2873: Permission links are owned by root; ability to lookup/modify is determined by current user permission on "head" object - Arvados

Idea #2873

Todo 
 * Set owner_uuid to system_user_uuid on all permission links. This prevents users from having permission to view/alter permission links by virtue of having created them. 
 * Add get_permissions action to API server's ApplicationController. It accepts a single uuid and responds with a list of all permission links whose head_uuid is equal to the specified uuid. 
 ** respond 404 if the object with the specified uuid does not exist _or_ is not readable by the current user (using the same before_filter stuff as the "show" action should take care of this) 
 ** respond 403 if the current user does not have @manage@ permission on the specified uuid _or_ the referenced object's owner_uuid

Back

Project

General

Profile

Arvados

Idea #2873